14.3 Investigation of Known Vulnerabilities

After full TCP and UDP port scanning and an initial investigation of the
accessible network services (to qualify the nmap results and gather
further useful information), you usually know enough to investigate
known vulnerabilities properly.

Sites such as MITRE CVE, SecurityFocus, ISS X-Force, and Packet Storm
provide bug details, along with publicly accessible exploit scripts.
To fully qualify vulnerabilities by hand, you often need to use such
tools. What follows is a breakdown of the results I obtained from
these sites in relation to the accessible network services I
identified in this case study.

14.3.1 Cisco IOS Accessible Service Vulnerabilities

Telnet, NTP, and SNMP services are accessible on the Cisco IOS 12.2.8
router at 192.168.10.1. Through checking MITRE CVE, SecurityFocus, and
ISS X-Force, no remotely exploitable issues were identified that affect
this version of IOS.

Therefore, the two particular threats to this Cisco IOS router are
from:

14.3.2 Solaris Accessible Service Vulnerabilities

OpenSSH 3.7.1 and prior contains buffer management errors, resulting
in denial of service or arbitrary code being executed.

CVE-2003-0695 | N/A | 13215 | OpenSSH 3.7.1 and prior contains further
buffer management errors.

From investigating CVE-2002-0639 in more detail, I find that OpenSSH
is only exploitable if SKEY or BSD_AUTH authentication methods are
supported (default under OpenBSD 3.x). Two public exploits for this
issue under OpenBSD have been released: although they
don't remotely exploit Solaris hosts, they are
available from:[1]

[1] URLs for tools in this book are
mirrored at the O'Reilly site, http://examples.oreilly.com/networksa/tools.

Example 14-16 shows how to use the gobblessh patched OpenSSH client
(from sshutup-theo.tar.gz, as discussed in Chapter 4) to check whether
the remote host supports the SKEY or BSD_AUTH authentication
mechanisms.

In this case, neither the SKEY nor the BSD_AUTH authentication
mechanism is supported, so the CVE-2002-0639 challenge-response
exploit won't be effective.
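What a check of this kind rests on, as an added illustration that is neither the gobblessh client nor code from this book: after a client's "none" authentication attempt, an SSH-2 server answers with SSH_MSG_USERAUTH_FAILURE (RFC 4252, section 5.1), which carries the name-list of methods it will still accept. OpenSSH exposes its challenge-response backends (SKEY, BSD_AUTH, and PAM) through the keyboard-interactive method, so a server that does not advertise keyboard-interactive cannot be reached by the CVE-2002-0639 vector at all; one that does advertise it has some challenge-response backend enabled, and which one (the submethod gobblessh probes for) still has to be determined. The parser below decodes the message from constructed payloads; the two example method lists are assumptions standing in for the Solaris host and an OpenBSD default, not captured traffic.

```python
import struct

# RFC 4252, section 5.1: SSH_MSG_USERAUTH_FAILURE =
#   byte 51, name-list "authentications that can continue", boolean partial success
SSH_MSG_USERAUTH_FAILURE = 51

# In SSH-2, OpenSSH carries SKEY, BSD_AUTH and PAM challenge-response
# authentication over the keyboard-interactive method (RFC 4256).
CHALLENGE_RESPONSE_METHOD = "keyboard-interactive"


def _read_ssh_string(buf: bytes, off: int):
    """Read an SSH 'string' (uint32 big-endian length + bytes) at buf[off:]."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_userauth_failure(methods, partial_success=False) -> bytes:
    """Encode a USERAUTH_FAILURE payload; used here only to construct test input."""
    name_list = ",".join(methods).encode("ascii")
    return (bytes([SSH_MSG_USERAUTH_FAILURE])
            + struct.pack(">I", len(name_list)) + name_list
            + bytes([1 if partial_success else 0]))


def parse_userauth_failure(payload: bytes):
    """Return (methods, partial_success) from a decrypted USERAUTH_FAILURE payload."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("not an SSH_MSG_USERAUTH_FAILURE payload")
    name_list, off = _read_ssh_string(payload, 1)
    if off >= len(payload):
        raise ValueError("missing partial-success flag")
    # name-list entries are US-ASCII and comma separated; empty names are invalid
    methods = [m for m in name_list.decode("ascii").split(",") if m]
    return methods, payload[off] != 0


def offers_challenge_response(payload: bytes) -> bool:
    """True when the server still accepts keyboard-interactive, i.e. some
    challenge-response backend (SKEY, BSD_AUTH or PAM) is enabled."""
    methods, _ = parse_userauth_failure(payload)
    return CHALLENGE_RESPONSE_METHOD in methods


# Constructed payloads (assumptions, not captured traffic): a host with only
# public-key and password authentication, and one that also offers
# keyboard-interactive as an OpenBSD default sshd would.
NO_CHALLENGE_RESPONSE = build_userauth_failure(["publickey", "password"])
WITH_CHALLENGE_RESPONSE = build_userauth_failure(
    ["publickey", "keyboard-interactive", "password"])

if __name__ == "__main__":
    for label, p in (("no-cr", NO_CHALLENGE_RESPONSE), ("with-cr", WITH_CHALLENGE_RESPONSE)):
        methods, partial = parse_userauth_failure(p)
        print(label, methods, "partial:", partial,
              "challenge-response offered:", offers_challenge_response(p))
```

The parser deliberately refuses truncated payloads instead of returning a partial method list, because a list that is silently cut short would turn an "offered" into a "not offered" verdict.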

CVE-2003-0190, on the other hand, relies on a timing bug in OpenSSH
related to the PAM authentication mechanism. By searching Packet
Storm and SecurityFocus for exploit scripts and tools, I find a
useful tool, available at:

http://lab.mediaservice.net/code/ssh_brute.c

http://lab.mediaservice.net/code/openssh-3.6.1p1_brute.diff

The recent memory bugs and buffer management issues identified in
OpenSSH (CVE-2003-0682, CVE-2003-0693, and CVE-2003-0695) have no
publicly available remote exploit scripts. Due to the way that these
bugs are nested and rely on a number of variables for successful
remote exploitation, it is unlikely that reliable exploits will be
made publicly available.

The LSD security research team (http://www.lsd-pl.net) posted an excellent
technical analysis and discussion of the CVE-2002-1337
crackaddr( ) bug. To remotely exploit the Sendmail service, useful
data (something the program later relies on) must exist directly after
the static buffer in which the overflow occurs, so that overwriting it
disrupts the execution path (which commonly shows up as a crash).

LSD found that on most Unix platforms, the static buffer
isn't followed by such useful data. Their post to
the BugTraq mailing list in March 2003 contained the low-level
technical details, archived at http://www.securityfocus.com/archive/1/313757.
In particular, they found that Solaris 8 running Sendmail 8.11.6
doesn't crash when provided with the malformed email
address, and isn't, therefore, remotely exploitable.

At the time of writing, there are also no public tools or scripts to
exploit the recent Sendmail 8.12.9 prescan( ) bugs
(CVE-2003-0161 and CVE-2003-0694).

14.3.3 Windows 2000 Accessible Service Vulnerabilities

The two accessible ports on the
Windows 2000 server at
192.168.10.25 are both IIS 5.0 web service
instances. By enumerating the enabled IIS subsystems and components,
you can look through MITRE CVE and other vulnerability lists in an
efficient manner. Table 14-5 shows a list of known
remotely exploitable security issues relating to this IIS server, as
derived from MITRE CVE, SecurityFocus, and Microsoft security
bulletin databases.
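One way to enumerate which IIS 5.0 ISAPI extension mappings are live before narrowing the CVE search, as an added example that is not code from this book or its toolkit: request a random, non-existent file name with each probed extension and compare the reply against the same name with a static extension (.html). A mapped extension hands the request to its DLL even though the file does not exist, so the reply usually differs from the static-file 404; a reply identical to the baseline is only weak evidence that the mapping is absent, since some handlers (asp.dll, for one) produce their own 404 for a missing file, which is why .asp is not in the probe list. The host address, the extension-to-component table, and the sample responses used for the offline run are assumptions constructed for this example.

```python
import http.client
import uuid

# Extension mappings that ship with IIS 5.0 and the subsystem each belongs to.
# Table contents are an assumption for this example, drawn from IIS 5.0 defaults.
ISAPI_EXTENSIONS = {
    ".ida": "Index Server (idq.dll)",
    ".idq": "Index Server (idq.dll)",
    ".printer": "Internet Printing (msw3prt.dll)",
    ".htr": "ism.dll (.htr)",
}

BASELINE_EXT = ".html"   # served by the static-file handler, so a real 404


def http_fetch(host, port, path, timeout=10):
    """Plain-HTTP GET returning (status, body). This is the network-backed fetcher."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def probe_isapi_mappings(host, port=80, fetch=http_fetch):
    """Differential probe: each extension against the static-file baseline.
    Returns {extension: verdict string}. 'fetch' is injectable so the logic
    can be exercised offline."""
    name = "nsa-" + uuid.uuid4().hex[:8]      # random so nothing is cached or real
    base_status, base_body = fetch(host, port, "/%s%s" % (name, BASELINE_EXT))
    results = {}
    for ext, component in ISAPI_EXTENSIONS.items():
        status, body = fetch(host, port, "/%s%s" % (name, ext))
        if (status, len(body)) == (base_status, len(base_body)):
            results[ext] = "not mapped (reply matches static %d)" % base_status
        else:
            results[ext] = "mapped: %s answered HTTP %d" % (component, status)
    return results


# Constructed sample replies (an assumption, not captured from the case-study
# host): only the Index Server and printing mappings are enabled here.
SAMPLE_RESPONSES = {
    ".html": (404, b"<html><head><title>404 Object Not Found</title></head></html>"),
    ".ida": (200, b"<HTML>The IDQ file could not be found.</HTML>"),
    ".idq": (200, b"<HTML>The IDQ file could not be found.</HTML>"),
    ".printer": (500, b"<html>printer handler error</html>"),
}


def sample_fetch(host, port, path):
    """Offline stand-in for http_fetch keyed on the requested extension."""
    ext = path[path.rfind("."):]
    return SAMPLE_RESPONSES.get(ext, SAMPLE_RESPONSES[BASELINE_EXT])


if __name__ == "__main__":
    # Offline run against the constructed replies; swap in the default fetcher
    # (probe_isapi_mappings("192.168.10.25")) for a live target you are authorised to test.
    for ext, verdict in probe_isapi_mappings("192.0.2.25", 80, fetch=sample_fetch).items():
        print(ext, verdict)
```

Comparing status and body length rather than exact body text keeps the check independent of any particular error-page wording; the verdicts then feed the component list used to filter MITRE CVE and the Microsoft bulletins.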

After assembling a list of serious remotely exploitable
vulnerabilities, visit Packet Storm, SecurityFocus, and underground
web sites to assemble a toolkit. You can find the exploits at the
following URLs.